Exploit in Google Hangouts allows attackers to take over devices - just by sending a text

A major Android vulnerability that could allow hackers to take over devices simply by sending a text message has been discovered by a security researcher.

Joshua Drake, who works with Zimperium, announced findings this week of the vulnerability, which does not require the user to download or open an attachment to fall victim to an attack. Upon receiving the text message, the device is instantly infected - before the user even receives a notification about the message.

Most worrying is the fact that the vulnerability is prevalent on all versions of Android, the preferred operating system of about 80% of the world's smartphone users.

The bug is actually in Google Hangouts, a messaging app for Android. That app instantly processes videos when they're received so that they appear in the device's gallery without the user having to save them. However, that leaves the door open to attackers - all a cyber-criminal would have to do is to embed malicious code within a video file, and text the video to a victim's number.

Company Articles

If the victim uses Google Hangouts, there is no line of protection against the attack once that text has been sent. The video is processed upon receipt of the message, and from there, the attacker can take over the device's microphone, camera, GPS, or indeed just about any feature.

For Android users who stick with the default messaging app, rather than Hangouts, there is at least a chance of not becoming infected; the vulnerability will only be exploited if the text message is viewed. However, given that viewing unopened messages is something of a reflex for most smartphone users, this is hardly a solid line of defence.

Drake has shared his findings with Google, which has already issued a patch for the vulnerability. However, due to the way in which Android updates are pushed out, many users won't see the fix. Google can issue a patch to device manufacturers, but it is up to the manufacturers to push those updates out once they have adapted the patch to their own flavour of Android. Unfortunately, manufacturers are slow in this regard, meaning most Android devices out in the wild will remain unpatched for a considerable amount of time.

Until your Android device is patched, then, perhaps the best course of action would be to delete Hangouts, and to think twice before opening any unsolicited text messages.